Fighting Cyber Attacks during the Burmese Elections

9th Nov 10:30 AM – A vulnerability scan via the Tor network

An attempt to find vulnerable plugins on the Irrawaddy.org site is detected. The scan is carried out through the Tor network: the attacker walks the themes and plugins folders and reads each theme's and plugin's version from the changelog.txt file shipped with it, so that known-vulnerable versions can be matched against public exploits.
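The scan described above leaves a recognisable trace in an ordinary web server access log: one client fetching the version file of many different components within seconds. The script below is an added example written for this page, not code from the Irrawaddy team or the responders. It counts, per client, how many distinct plugin or theme directories had their changelog.txt or readme.txt requested, flags clients over a threshold, and tags whether the client arrived through a Tor exit. It assumes a WordPress-style layout under /wp-content/ (the page does not name the CMS) and the Apache/nginx "combined" log format; the log lines and the exit list are constructed stand-ins, not real traffic.

```shell
#!/bin/sh
# Added example (not the Irrawaddy team's or the responders' code): detect
# plugin/theme version enumeration in a combined-format access log and tag
# Tor exit sources. Assumes /wp-content/ paths (CMS is an assumption).

# Constructed sample log (RFC 5737 test addresses, arbitrary timestamps).
LOG_FILE=$(mktemp)
cat > "$LOG_FILE" <<'EOF'
198.51.100.7 - - [09/Nov/2015:10:30:01 +0000] "GET /wp-content/plugins/akismet/changelog.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2015:10:30:02 +0000] "GET /wp-content/plugins/jetpack/changelog.txt HTTP/1.1" 404 208 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2015:10:30:02 +0000] "GET /wp-content/plugins/wordfence/readme.txt HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2015:10:30:03 +0000] "GET /wp-content/plugins/akismet/changelog.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2015:10:30:04 +0000] "GET /wp-content/themes/twentyfifteen/readme.txt HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Nov/2015:10:31:10 +0000] "GET /wp-content/plugins/akismet/changelog.txt HTTP/1.1" 200 812 "-" "curl/7.47.0"
192.0.2.5 - - [09/Nov/2015:10:31:12 +0000] "GET / HTTP/1.1" 200 38211 "-" "Mozilla/5.0"
192.0.2.5 - - [09/Nov/2015:10:31:15 +0000] "GET /wp-content/themes/twentyfifteen/style.css HTTP/1.1" 200 9100 "https://example.org/" "Mozilla/5.0"
EOF

# Constructed stand-in for the Tor exit list. On a real server refresh it
# periodically from https://check.torproject.org/torbulkexitlist
TOR_EXIT_LIST=$(mktemp)
printf '%s\n' 198.51.100.7 203.0.113.99 > "$TOR_EXIT_LIST"

# enumerating_clients LOG THRESHOLD
# Prints "<ip> <n>" for each client that fetched the version file of at
# least THRESHOLD distinct plugin/theme directories (repeats count once).
enumerating_clients() {
    awk -v thr="$2" '
        BEGIN { re = "^/wp-content/(plugins|themes)/[^/]+/(changelog|readme)\\.txt$" }
        ($6 == "\"GET" || $6 == "\"HEAD") && $7 ~ re {
            split($7, p, "/")                 # p[3]=plugins|themes, p[4]=component
            key = $1 SUBSEP p[3] "/" p[4]
            if (!(key in seen)) { seen[key] = 1; n[$1]++ }
        }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }
    ' "$1" | sort
}

# is_tor_exit IP LISTFILE: exit 0 when IP is listed as a Tor exit.
is_tor_exit() { grep -qxF "$1" "$2"; }

# alerts LOG THRESHOLD LISTFILE: one alert line per enumerating client,
# tagged with whether it came through a Tor exit, as the scan above did.
alerts() {
    enumerating_clients "$1" "$2" | while read -r ip count; do
        if is_tor_exit "$ip" "$3"; then via=tor-exit; else via=direct; fi
        printf 'ALERT %s via %s probed %s plugin/theme version files\n' "$ip" "$via" "$count"
    done
}

alerts "$LOG_FILE" 3 "$TOR_EXIT_LIST"
```

The threshold matters: search engine crawlers and single curious visitors fetch the odd readme.txt, so one hit is noise while four distinct components in three seconds is enumeration. Since legitimate readers of a site like this may also arrive over Tor, the tor-exit tag is context for the analyst rather than a block rule on its own.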

12th Nov 3:00 PM – Show is over

As a result of our intervention, the Irrawaddy's news sites worked flawlessly throughout the election period. During the past seven days we took the following actions to secure the Irrawaddy's infrastructure:

Received credentials from the affected organization

Identified methods by which Cloudflare's mitigation could be bypassed

Identified the origin server

Reviewed the existing plugins and their known vulnerabilities

Identified malicious activity in two servers and several backdoors

Removed the backdoors and installed an alert system that reports when the intruders try to reach the server again

Disabled PHP functions that could be exploited by the attackers

Reset all passwords for the main CMSs

Enforced file system attributes that deny access to critical parts of the CMSs

Identified a new vulnerability scan via the Tor network

Communicated the results of our findings to the Irrawaddy team on a daily basis.
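Two items in the list above, disabling exploitable PHP functions and setting file system attributes on critical CMS files, are concrete enough to show as a repeatable script. The following is an added example, not the responders' own tooling: harden_php_ini rewrites the disable_functions setting in a php.ini, php_function_disabled checks the result, and lock_file applies the read-only and immutable attributes. The function list, the php.ini path and the WordPress file name (wp-config.php) are my assumptions; the page states neither which CMS was involved nor which functions were disabled.

```shell
#!/bin/sh
# Added example (not the responders' scripts): the two hardening steps from
# the list as idempotent functions. Function list, paths and wp-config.php
# are assumptions; the page does not name the CMS or the functions.

# What an uploaded web shell needs to run commands or spawn processes.
DISABLED_FUNCS="exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec"

# harden_php_ini INI: replace any existing disable_functions line with ours,
# appending one if none exists. Running it twice leaves exactly one line.
harden_php_ini() {
    ini=$1
    tmp=$(mktemp)
    grep -v '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" > "$tmp" || true
    printf 'disable_functions = %s\n' "$DISABLED_FUNCS" >> "$tmp"
    cat "$tmp" > "$ini"        # write in place so ownership/attributes survive
    rm -f "$tmp"
}

# php_function_disabled INI FUNC: exit 0 if FUNC is listed in disable_functions.
php_function_disabled() {
    grep '^[[:space:]]*disable_functions[[:space:]]*=' "$1" | tail -n 1 \
        | cut -d= -f2- | tr -d ' \t' | tr ',' '\n' | grep -qxF "$2"
}

# lock_file PATH: owner/group read-only, nothing for others. With
# APPLY_IMMUTABLE=1 and root, also chattr +i so the file cannot be modified
# or replaced, even by root, until chattr -i. Meant for wp-config.php and
# CMS core files, never for uploads or cache directories the CMS writes.
lock_file() {
    chmod 440 "$1"
    if [ "${APPLY_IMMUTABLE:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
        chattr +i "$1"
    fi
}

# Demonstration on a throwaway copy so it runs without root. On a server:
#   harden_php_ini /etc/php.ini   (path assumed; locate yours with: php --ini)
#   APPLY_IMMUTABLE=1 lock_file /var/www/html/wp-config.php   (path assumed)
demo() {
    ini=$(mktemp)
    printf '%s\n' '[PHP]' 'engine = On' 'disable_functions =' > "$ini"
    harden_php_ini "$ini"
    harden_php_ini "$ini"                      # second run: still one line
    grep -c '^disable_functions' "$ini"        # → 1
    php_function_disabled "$ini" exec && echo "exec disabled"
    lock_file "$ini"
    ls -l "$ini" | cut -c1-10                  # → -r--r-----
    rm -f "$ini"
}
demo
```

disable_functions is a PHP_INI_SYSTEM setting, so a script or .htaccess cannot undo it, but PHP-FPM or Apache must be reloaded before it takes effect, and it only blocks process execution: a web shell that merely reads and writes files under the web root is unaffected, which is why the file locking is needed as well. The immutable attribute must be removed with chattr -i before CMS or plugin updates, otherwise they fail.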

The attackers are now aware of our existence and interventions, as they have noticed that their backdoors have been blocked. We are now closing this Rapid Response case.